Analysis
- max time kernel: 142s
- max time network: 128s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-06-2024 13:08
Static task: static1
Behavioral task: behavioral1
- Sample: 0644ffe8b0035e3fbe98057e9800e85d_JaffaCakes118.exe
- Resource: win7-20240419-en
Behavioral task: behavioral2
- Sample: 0644ffe8b0035e3fbe98057e9800e85d_JaffaCakes118.exe
- Resource: win10v2004-20240611-en
General
- Target: 0644ffe8b0035e3fbe98057e9800e85d_JaffaCakes118.exe
- Size: 439KB
- MD5: 0644ffe8b0035e3fbe98057e9800e85d
- SHA1: 3ee09fac1dbb768c1fc1c8a75e67256a851b210a
- SHA256: b213d9d8de44806565f51c6dcc0eca2468db564f19fc8651f505a32476ba8f31
- SHA512: cc891aa8a29bf6cc680bf523d847f8ab40a3fc8c9a2213eb0721bfdbd58f694bd7f529b3c05d43539e0afe3e79bdf86fc281d0eaa71a81ff4712cfbe031ad408
- SSDEEP: 12288:cYnMa876yH8pllF6kNN4kWumNtTirdt9+T:cYMaeilF137GTEdvq
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid 3816, Process windex.exe
- Drops file in Windows directory (3 IoCs)
  description: File created; ioc: C:\Windows\windex.exe; Process: 0644ffe8b0035e3fbe98057e9800e85d_JaffaCakes118.exe
  description: File opened for modification; ioc: C:\Windows\windex.exe; Process: 0644ffe8b0035e3fbe98057e9800e85d_JaffaCakes118.exe
  description: File created; ioc: C:\Windows\UNINSTAL.BAT; Process: 0644ffe8b0035e3fbe98057e9800e85d_JaffaCakes118.exe
- Program crash (1 IoC)
  pid 4192, pid_target 792, Process WerFault.exe, procid_target 91
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description: Token: SeDebugPrivilege; pid 792; Process: 0644ffe8b0035e3fbe98057e9800e85d_JaffaCakes118.exe
  description: Token: SeDebugPrivilege; pid 3816; Process: windex.exe
- Suspicious use of FindShellTrayWindow (1 IoC)
  pid 3816, Process windex.exe
- Suspicious use of WriteProcessMemory (5 IoCs)
  description: PID 3816 wrote to memory of 1136; pid 3816; Process: windex.exe; procid_target 94
  description: PID 3816 wrote to memory of 1136; pid 3816; Process: windex.exe; procid_target 94
  description: PID 792 wrote to memory of 2652; pid 792; Process: 0644ffe8b0035e3fbe98057e9800e85d_JaffaCakes118.exe; procid_target 100
  description: PID 792 wrote to memory of 2652; pid 792; Process: 0644ffe8b0035e3fbe98057e9800e85d_JaffaCakes118.exe; procid_target 100
  description: PID 792 wrote to memory of 2652; pid 792; Process: 0644ffe8b0035e3fbe98057e9800e85d_JaffaCakes118.exe; procid_target 100
Processes
- C:\Users\Admin\AppData\Local\Temp\0644ffe8b0035e3fbe98057e9800e85d_JaffaCakes118.exe (PID 792)
  command line: "C:\Users\Admin\AppData\Local\Temp\0644ffe8b0035e3fbe98057e9800e85d_JaffaCakes118.exe"
  Drops file in Windows directory
  Suspicious use of AdjustPrivilegeToken
  Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WerFault.exe (PID 4192)
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 792 -s 704
    Program crash
  - C:\Windows\SysWOW64\cmd.exe (PID 2652)
    command line: C:\Windows\system32\cmd.exe /c C:\Windows\UNINSTAL.BAT
- C:\Windows\windex.exe (PID 3816)
  command line: C:\Windows\windex.exe
  Executes dropped EXE
  Suspicious use of AdjustPrivilegeToken
  Suspicious use of FindShellTrayWindow
  Suspicious use of WriteProcessMemory
  - C:\Program Files\Internet Explorer\IEXPLORE.EXE (PID 1136)
    command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
- C:\Windows\SysWOW64\WerFault.exe (PID 3056)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 208 -p 792 -ip 792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4024)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3860,i,5229431749694857451,16836185654682871752,262144 --variations-seed-version --mojo-platform-channel-handle=4188 /prefetch:8
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 214B
  MD5: 835e6160d55e1f8e4ac5928d54d29eef
  SHA1: e8b97c3d4c27da184ed670b57ec0d6f5361445b9
  SHA256: 2dd29f40bafec2352611e4af2c582e2e60afe613dacdbc3153bfa6021de0e437
  SHA512: a21be038e0c156af2d3e0b0e7e78641b6b6eaf8bdbfafd7e064818bfe7b41b3db9fe9036ecc1f1e6ce31de876c1e6166ae78db1991ca3b4ee8baf8ac9fed4d00
- Filesize: 439KB
  MD5: 0644ffe8b0035e3fbe98057e9800e85d
  SHA1: 3ee09fac1dbb768c1fc1c8a75e67256a851b210a
  SHA256: b213d9d8de44806565f51c6dcc0eca2468db564f19fc8651f505a32476ba8f31
  SHA512: cc891aa8a29bf6cc680bf523d847f8ab40a3fc8c9a2213eb0721bfdbd58f694bd7f529b3c05d43539e0afe3e79bdf86fc281d0eaa71a81ff4712cfbe031ad408